Re: [IPsec] Last Call: <draft-kivinen-ipsecme-signature-auth-06.txt> (Signature Authentication in IKEv2) to Proposed Standard
Johannes Merkle <johannes.merkle@secunet.com> Fri, 04 July 2014 14:29 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Pa-qjcrJR8YHGUqtsXWbS7_hBiU
Nice work, the wording is really improved. However, I still have two comments:

1. The wording in A.4 is confusing.

      With RSASSA-PSS, the algorithm object identifier is always
      id-RSASSA-PSS, but the hash function is taken from the optional
      parameters, and is required.

   It is not the hash function or the optional parameters that are required but the OID id-RSASSA-PSS. Secondly, the "but" in the second part of the sentence indicates some contrast but I don't see one. Furthermore, not only the hash function is determined from the parameters but also the other options for the padding.

   Why not change the text to

      With RSASSA-PSS, the algorithm object identifier must always be
      id-RSASSA-PSS, and the hash function and padding parameters are
      conveyed in the optional parameters.

2. The wording in A.4.1 is also not unambiguous:

      Parameters are empty, but the ASN.1 part of the sequence must be
      there. This means default parameters are used (same as the next
      example).

   Here "next example" does not refer to the example following immediately after this paragraph but to the example in the next section. A reference to A.4.2 should be included.

--
Johannes

The IESG wrote on 01.07.2014 18:11:
>
> The IESG has received a request from the IP Security Maintenance and
> Extensions WG (ipsecme) to consider the following document:
> - 'Signature Authentication in IKEv2'
>   <draft-kivinen-ipsecme-signature-auth-06.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2014-07-15. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>    The Internet Key Exchange Version 2 (IKEv2) protocol has limited
>    support for the Elliptic Curve Digital Signature Algorithm (ECDSA).
>    The current version only includes support for three Elliptic Curve
>    groups, and there is a fixed hash algorithm tied to each group. This
>    document generalizes IKEv2 signature support to allow any signature
>    method supported by the PKIX and also adds signature hash algorithm
>    negotiation. This is a generic mechanism, and is not limited to
>    ECDSA, but can also be used with other signature algorithms.
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-signature-auth/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-signature-auth/ballot/
>
> No IPR declarations have been submitted directly on this I-D.
>
> This draft updates RFC5996, however RFC5996 is in process of being updated in RFC5996-bis and will likely be published before this draft. Each mention of RFC5996 should be replaced with the new RFC number for RFC5996-bis once a number has been assigned.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

--
Best regards,

Dr. Johannes Merkle
Principal Consulting, Electronic Identities
Public Sector
secunet Security Networks AG
Mergenthaler Allee 77
65760 Eschborn
Germany
Phone +49 201 54 54-3091
Fax +49 201 54 54-1325
Mobile +49 175 2224439
johannes.merkle@secunet.com
www.secunet.com
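The encoding rule discussed in the two comments above, as an added example that is not part of the original message or of the draft: a minimal DER reader that insists on the id-RSASSA-PSS OID and a present parameters SEQUENCE, and falls back to the RSASSA-PSS-params defaults when that SEQUENCE is empty. The function names are hypothetical and both byte strings are constructed samples.

```python
ID_RSASSA_PSS = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10
HASH_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
             bytes.fromhex("608648016503040201"): "sha256"}
DEFAULTS = {"hash": "sha1", "mgf_hash": "sha1", "salt_len": 20}  # per RFC 4055
EMPTY_PARAMS = bytes.fromhex("300d06092a864886f70d01010a3000")  # constructed
SHA256_PARAMS = bytes.fromhex(  # constructed: SHA-256, MGF1-SHA-256, salt 32
    "304106092a864886f70d01010a3034a00f300d0609608648016503040201"
    "0500a11c301a06092a864886f70d010108300d0609608648016503040201"
    "0500a203020120")

def tlv(buf, pos=0):  # -> (tag, value, next_pos) for one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed content into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def hash_name(alg_id_content):
    tag, oid = children(alg_id_content)[0]
    if tag != 0x06 or oid not in HASH_OIDS:
        raise ValueError("unsupported hash algorithm")
    return HASH_OIDS[oid]

def parse_pss_algorithm_identifier(der):
    tag, body, end = tlv(der)
    fields = children(body)
    if tag != 0x30 or end != len(der) or not fields or fields[0] != (0x06, ID_RSASSA_PSS):
        raise ValueError("algorithm OID must be id-RSASSA-PSS")
    if len(fields) != 2 or fields[1][0] != 0x30:
        raise ValueError("parameters SEQUENCE must be present, even if empty")
    params = dict(DEFAULTS)  # an empty SEQUENCE leaves every default in place
    for ctx, wrapped in children(fields[1][1]):
        _, inner, _ = tlv(wrapped)  # EXPLICIT tag wraps exactly one element
        if ctx == 0xA0:
            params["hash"] = hash_name(inner)
        elif ctx == 0xA1:  # MGF1 AlgorithmIdentifier: OID, then its hash
            params["mgf_hash"] = hash_name(children(inner)[1][1])
        elif ctx == 0xA2:
            params["salt_len"] = int.from_bytes(inner, "big")
    return params
```

With an empty parameters SEQUENCE the result is SHA-1, MGF1 with SHA-1 and a 20-byte salt, so a verifier that requires a stronger hash has to reject that encoding by policy rather than expect the parser to flag it.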